Acymailing vulnerability exploited in the wild

1 month 14 hours ago - 4 weeks 1 day ago #9552 by Jose
Hi there,

A couple of days ago, Securitycheck Pro alerted about a new file in a site of a customer I manage. The file, named "thumbnail_91.png_.php", was a PHP file hidden behind a PNG extension:
 
After some further investigation, I discovered that attackers were using an unknown vulnerability in Acymailing to upload the file. I contacted the developers, who confirmed the vulnerability and a patch for a future version.

In the meantime, add the words "setNewThumbnail" and "setNewIconShare" to the URL inspector to be protected, or edit the file /administrator/components/com_acym/controllers/mails/Edition.php and, in the setNewThumbnail function near line 800, add this code:
Code:
exit;

It should look like this:
 

Update [05/07/23]: In older versions of Acymailing the path is /administrator/components/com_acym/controllers/mails.php

Regards,
Jose
Last edit: 4 weeks 1 day ago by Jose.
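A defender-side check in the spirit of the alert described above, added here as an example and not code from the post, from Securitycheck Pro or from AcyMailing: it walks a Joomla tree and flags files that, like "thumbnail_91.png_.php", carry a PHP extension behind an image extension, or carry an image extension but start with a PHP open tag. The directory layout and file contents are constructed sample data.

```python
import os
import re
import tempfile

# Constructed sample tree: the first name mirrors the dropped file from the post;
# the paths and the other files are assumptions made for this example.
SAMPLE_FILES = {
    "media/com_acym/thumbnails/thumbnail_91.png_.php": b"<?php // constructed placeholder body",
    "media/com_acym/thumbnails/thumbnail_12.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
    "images/banner.jpg": b"<?php // PHP code stored under an image name",
    "administrator/components/com_acym/controllers/mails/Edition.php": b"<?php class Edition {}",
}

PHP_EXT = re.compile(r"\.ph(?:p\d?|tml)$", re.IGNORECASE)          # final PHP-like extension
IMAGE_EXT = re.compile(r"\.(?:png|jpe?g|gif|webp)(?=[._-]|$)", re.IGNORECASE)
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")                              # PHP open tag in file head


def classify(filename, head):
    """Return a finding label for a suspicious file, or None if it looks benign."""
    name = os.path.basename(filename).lower()
    if PHP_EXT.search(name):
        # "thumbnail_91.png_.php": strip the real extension, look for an image one before it
        if IMAGE_EXT.search(PHP_EXT.sub("", name)):
            return "php-behind-image-extension"
        return None
    if IMAGE_EXT.search(name) and PHP_TAG.search(head):
        return "php-code-in-image-file"
    return None


def scan_tree(root, head_bytes=4096):
    """Walk a web root and collect (relative path, finding) pairs, sorted for stable output."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(head_bytes)   # only the head is needed for the open-tag check
            verdict = classify(fn, head)
            if verdict:
                findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)


def build_sample_tree():
    """Materialise SAMPLE_FILES in a temporary directory so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="acym_scan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo():
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict}: {rel}")
```

Run it against the real web root instead of the sample tree to get a list worth comparing with the upload paths the component is expected to write to.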
